tdl3 rootkit browsers hook to directdr.com & urbtk.com


  1. Posts : 16
    Windows 10 32 bit oem & Arch Linux x86_64
       #1

    This is a 3rd generation TDL rootkit (TDL3).
    For 1 week I fought with this nasty wee rootkit. Tried loads of online scanners and rootkit scanners, nothing helped. Then I searched for .dlls viewed by date, found a couple which looked shady, googled them and sure enough, malware. After deleting them I was still getting redirects, and the bugger fried a 250GB external HDD by writing malicious code to disk, so I lost all the data; it was full of bad sectors, never seen a HDD so corrupt. I also noticed that my C drive was not showing in Disk Management, and all drive letters in removable drive ports had exclamation marks. Tried updating drivers to no avail, all the while still getting redirects in Google search from directdr.com and urbtk.com. Everyone told me to format C and I was just about to when I thought I'd roll the dice once more. I'd read on forums that ComboFix wouldn't run on Windows 7; as I was gonna format I decided to give it a go. If anyone is trying this fix, please disable all scanners, AV & adware, and firewall/Windows Defender. I ran ComboFix in safe mode, got a warning about compatibility issues, then a box telling me the ComboFix was only a beta build. I clicked yes to let it proceed. Very important: do not touch your keyboard or mouse unless prompted whilst ComboFix is running. It had barely started the scan when "rootkit activity detected", ComboFix needs to reboot your machine. I let it boot into normal mode, ComboFix carried on till it finished its 50 stages, then told me nvstor.sys was infected and disinfected (explains the HDD issues, it's the HD controller). Since then (yesterday) the machine is running like new. Once completed, search for .tdl files on C: yk62x86.dll vp7vfw.dll umstartup.etl startup.etl. nvstor.sys [affected TDL3 files]. 3 cheers for ComboFix, the only thing that found and killed this nasty wee sleekit beastie.
    P.S. * Stay away from cracks/keygens, crack really does f**k you up.
    * Sysinternals Forums - Rootkit TDL 3 - Page 1

    Peace out, stay safe / isn't 7 da bomb. HijackThis and GMER are useless against this, so are most AV scanners. Hitman Pro 3.5 is supposed to detect it, don't know about disinfecting crucial .sys files though, I'd stick with Combo. Apparently this rootkit is spreading like wildfire. It goes undetected as it enters via spools.exe which is a trusted Windows file, then injects malicious code into winlogon.exe. If your AV has flagged any activity in the spools folder lately, you've been bitten. Took me 1 week to clean; I wouldn't give in, everyone telling me to format and reinstall, but my motto is "no surrender". nailzuk, Glasgow, Scotland, UK


  2. Posts : 846
    Windows 10 Pro
       #2

    Thanks for the update and suggestion for Hitman Pro V3.5.
    I plan to use it today on the infected system via Remote Access on my brother's computer.
    It seems that it is the only thing that fully removes TDL3.

    Are you still clean?
    Have you seen any aftereffects that may have been left behind?

    Thanks
    Iggy


  3. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #3

    IggyAZ, after running Hitman Pro V3.5 on your brother's machine, flush the DNS cache and restore the Windows Hosts file:
    Download the HostsXpert 4.3 - Hosts File Manager.
    • Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert
    • Click HostsXpert.exe to Run HostsXpert 4.3 - Hosts File Manager from its new home
    • Click "Make Hosts Writable?" in the upper right corner (If available).
    • Click Restore Microsoft's Hosts file and then click OK.
    • Click the X to exit the program.
    • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


    Next, run MalwareBytes' Anti-Malware.

    I personally will not deal with Rootkits. You can never be sure if the OS will ever be stable again. Therefore, I suggest a wipe and clean install.


  4. Posts : 846
    Windows 10 Pro
       #4

    Thanks nailzuk for your advice to download and run Hitman Pro.
    It found and removed tdl3 Rootkit virus. Brother is very happy.
    Thanks again


  5. Posts : 16
    Windows 10 32 bit oem & Arch Linux x86_64
    Thread Starter
       #5

    Yes, system still clean. Scanned with Avira and NOD32 and an online Panda scan, oh and Hitman, SUPERAntiSpyware and Malwarebytes; the only thing found was 2 ad tracking cookies. I have also replaced the hosts file and made it read only. If I used this PC for sensitive documents, i.e. banking etc., I would wipe, but it's really just for media so I'll leave it be. Should the worst happen (corrupted HDD)(BSOD) then it's no prob to put a new HDD in and reinstall 7, but ComboFix did the trick for me. Search C drive for .tdl files and delete when you have disinfected also. Good luck;
    Last edited by nailzuk; 25 Jan 2011 at 09:29.


  6. Posts : 16
    Windows 10 32 bit oem & Arch Linux x86_64
    Thread Starter
       #6

    Pleased to hear it m8, you're getting a good Xmas present from your bros now :))


  7. Posts : 846
    Windows 10 Pro
       #7

    nailzuk said:
    Yes, system still clean. Scanned with Avira and NOD32 and an online Panda scan, oh and Hitman, SUPERAntiSpyware and Malwarebytes; the only thing found was 2 ad tracking cookies. I have also replaced the hosts file and made it readable. If I used this PC for sensitive documents, i.e. banking etc., I would wipe, but it's really just for media so I'll leave it be. Should the worst happen (corrupted HDD)(BSOD) then it's no prob to put a new HDD in and reinstall 7, but ComboFix did the trick for me. Search C drive for .tdl files and delete when you have disinfected also. Good luck;
    He only uses it to log in to Hotmail and browse around. No banking or buying anything online. I have been trying to educate him as I go but sometimes I don't think he gets it. lol

    Anyway he's clean for the moment and I have all his pictures and docs backed up on CDs. I have no idea what I would have done for him without MS Remote Access.

    Thanks again and have a merry hoho or whatever.

    Iggy in the cool part of Arizona


  8. Posts : 271
    Windows 7 Enterprise x64
       #8

    Do a scan with Hitman Pro 3.5.
    Now, go to Start, type RUN, hit Enter. Type/copy and paste this:
    C:\windows\system32\drivers\etc
    Open up the HOSTS file in Notepad and delete what you think is bad... You'll know it when you see it!

    I could make a BAT file to do this but I'm too lazy and it's a little late
    =P
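A hosts-file audit in the spirit of the BAT file mentioned in post #8 and the HostsXpert restore steps in post #3, added here as an example (not code from the thread or from HostsXpert): it lists every entry that is not Microsoft's stock localhost line, tells apart entries that block a site from ones that redirect it, and restores the default file after backing up the current one. The hosts path is the one quoted in the thread, and the sample file contents are constructed.

```python
import os
import stat
import ipaddress
from pathlib import Path

HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")  # path quoted in the thread
DEFAULT_HOSTS = "127.0.0.1\tlocalhost\n::1\tlocalhost\n"      # Microsoft's stock content
LOOPBACK = ("127.0.0.1", "::1")

# Constructed sample of a tampered hosts file (not a capture from the thread).
SAMPLE_HOSTS = """127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org   # vendor site nulled so updates fail
198.51.100.7    www.google.com         # search redirected to a TEST-NET address
127.0.0.1       mylocaldev.test        # legitimate custom entry
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            entries.extend((ip, n.lower()) for n in names)
    return entries

def suspicious_entries(text, allow=()):
    """Flag entries that are neither a stock localhost line nor allowlisted:
    'blocked' = pointed at loopback, 'redirected' = pointed elsewhere,
    'malformed' = first field is not an IP address."""
    findings = []
    for ip, name in parse_hosts(text):
        if (name == "localhost" and ip in LOOPBACK) or name in allow:
            continue
        try:
            kind = "blocked" if ipaddress.ip_address(ip).is_loopback else "redirected"
        except ValueError:
            kind = "malformed"
        findings.append((kind, ip, name))
    return findings

def restore_default(path=HOSTS_PATH):
    """Back up the current file, clear its read-only bit (the 'Make Hosts Writable'
    step), write the stock content, then set read-only again. Needs admin rights."""
    path = Path(path)
    path.with_name("hosts.bak").write_bytes(path.read_bytes())
    os.chmod(path, stat.S_IWRITE)
    path.write_text(DEFAULT_HOSTS)
    os.chmod(path, stat.S_IREAD)
```

Run `suspicious_entries(HOSTS_PATH.read_text())` from an elevated prompt to review the live file before deciding whether `restore_default()` is warranted; after restoring, flush the DNS cache as post #3 advises.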


  9. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #9

    Combofix was pulled yesterday (due to arising problems with the scanner and until further notice) .... it doesn't work with Windows 7. I'm curious to know what version you have that (you say) "fixed" your problem.


  10. Posts : 16
    Windows 10 32 bit oem & Arch Linux x86_64
    Thread Starter
       #10

    Windows 7 32 bit 7600 OEM. PC appears fine. As I said, it was a beta build of Combo I used and it disinfected the corrupt .sys file (kitty ate it). Hope this satisfies your curiosity. This was the message I got when starting Combo ........
    This is a BETA version ComboFix mean for compatibility testing --_ !! WARNING !! --- Under no circumstances should this be run on a live machine. Heed this warning or be prepared to buy a new machine
    I let it run.
    And this is the version of Combo I used,
    http://www.software112.com/search-program

    I've been googling to try and find news on Combo being "pulled", can't seem to find anything. Plz post a link to satisfy my curiosity. As I said above, I had read in numerous posts that Combo wasn't compatible with 7, but as I was gonna format I gave it a try and what can I say, it seems to have done the trick. nailzuk, Glasgow, Scotland, U.K.
    Last edited by nailzuk; 16 Dec 2009 at 04:25. Reason: afterthought

